]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
projects / thirdparty / kernel / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: aaeff14) | patch
crypto: testmgr - desupport SHA-1 for FIPS 140
authorVegard Nossum <vegard.nossum@oracle.com>
Wed, 21 May 2025 12:55:19 +0000 (14:55 +0200)
committerHerbert Xu <herbert@gondor.apana.org.au>
Fri, 13 Jun 2025 09:26:16 +0000 (17:26 +0800)
commit9d50a25eeb05c45fef46120f4527885a14c84fb2
treef82021e93bc647b57b80c0c31c45d58c64a299bbtree
parentaaeff14688d0254b39731d9bb303c79bfd610f7dcommit | diff
crypto: testmgr - desupport SHA-1 for FIPS 140

The sunset period of SHA-1 is approaching [1] and FIPS 140 certificates
have a validity of 5 years. Any distros starting FIPS certification for
their kernels now would therefore most likely end up on the NIST
Cryptographic Module Validation Program "historical" list before their
certification expires.

While SHA-1 is technically still allowed until Dec. 31, 2030, it is
heavily discouraged by NIST and it makes sense to set .fips_allowed to
0 now for any crypto algorithms that reference it in order to avoid any
costly surprises down the line.

[1]: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Acked-by: Stephan Mueller <smueller@chronox.de>
Cc: Marcus Meissner <meissner@suse.de>
Cc: Jarod Wilson <jarod@redhat.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: John Haxby <john.haxby@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto/testmgr.c diff | blob | blame | history
A mirror of Linus' kernel repository